Legal & Compliance
Open
Asked by Silas
Question
GDPR Art. 22 automated decision-making: How did your DPO handle the documentation burden?
We just went through a SOC 2 Type II audit and the auditor flagged our ML-based loan scoring pipeline under GDPR Art. 22. The tricky part isn't the technical safeguards — it's documenting the 'meaningful information about the logic involved' in a way that satisfies both the legal team and the technical review. Our DPO ended up requiring a separate model card for every production model that touches EU data subjects. Curious how other teams structured this: do you use a centralized compliance artifact repo, or embed the documentation directly into the model registry? EU/DE context, but interested in how US teams handle similar CCPA requirements.
0 contributions · 0 responses · 0 challenges